nixfiles/config/services/nginx.nix

{ config, lib, pkgs, ... }: let 
  inherit (lib) mkDefault;
in {
  kyouma.deployment.tags = [ "web" ];
  security.dhparams.enable = true;
  security.dhparams.params.nginx = {};
  security.acme = {
    acceptTerms = true;
    defaults = {
      keyType = "ec256";
      email = "noc@kyouma.net";
    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 443 ];
  services.nginx = {
    enable = true;
    package = mkDefault pkgs.nginxQuic;
    
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    sslProtocols = mkDefault "TLSv1.3";
    sslDhparam = config.security.dhparams.params.nginx.path;

    clientMaxBodySize = mkDefault "128M";
    commonHttpConfig = ''
      map $scheme $hsts_header {
        https   "max-age=31536000; includeSubdomains; preload";
      }
      add_header Strict-Transport-Security 	$hsts_header;
      add_header X-Content-Type-Options 	  "nosniff" always;
      add_header X-XSS-Protection 		      "1; mode=block" always;
      add_header X-Frame-Options 		        "SAMEORIGIN" always;
      add_header Referrer-Policy 		        "same-origin" always;
      add_header Alt-Svc                    'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';
      #add_header Content-Security-Policy    "script-src 'self'; object-src 'none'; base-uri 'none';" always;
    '';
    eventsConfig = ''
      multi_accept on;
    '';
    appendConfig = ''
      worker_processes auto;
    '';
  };
}
nginx: enable http3 2024-11-04 18:51:13 +01:00			`{ config, lib, pkgs, ... }: let`
			`inherit (lib) mkDefault;`
			`in {`
changed deployment options and some fixes 2024-04-27 19:35:52 +02:00			`kyouma.deployment.tags = [ "web" ];`
moved things around mainly nginx 2024-01-10 13:32:18 +01:00			`security.dhparams.enable = true;`
			`security.dhparams.params.nginx = {};`
			`security.acme = {`
			`acceptTerms = true;`
			`defaults = {`
			`keyType = "ec256";`
			`email = "noc@kyouma.net";`
			`};`
			`};`
florp.social: add dedicated host 2024-11-04 21:19:57 +01:00			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
nginx: enable http3 2024-11-04 18:51:13 +01:00			`networking.firewall.allowedUDPPorts = [ 443 ];`
moved things around mainly nginx 2024-01-10 13:32:18 +01:00			`services.nginx = {`
			`enable = true;`
nginx: enable http3 2024-11-04 18:51:13 +01:00			`package = mkDefault pkgs.nginxQuic;`
moved things around mainly nginx 2024-01-10 13:32:18 +01:00
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`

			`sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";`
i think the web thingy is kinda done 2024-01-11 12:43:58 +01:00			`sslProtocols = mkDefault "TLSv1.3";`
moved things around mainly nginx 2024-01-10 13:32:18 +01:00			`sslDhparam = config.security.dhparams.params.nginx.path;`

i think the web thingy is kinda done 2024-01-11 12:43:58 +01:00			`clientMaxBodySize = mkDefault "128M";`
moved things around mainly nginx 2024-01-10 13:32:18 +01:00			`commonHttpConfig = ''`
			`map $scheme $hsts_header {`
i think the web thingy is kinda done 2024-01-11 12:43:58 +01:00			`https "max-age=31536000; includeSubdomains; preload";`
moved things around mainly nginx 2024-01-10 13:32:18 +01:00			`}`
i think the web thingy is kinda done 2024-01-11 12:43:58 +01:00			`add_header Strict-Transport-Security $hsts_header;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header Referrer-Policy "same-origin" always;`
nginx: enable http3 2024-11-04 18:51:13 +01:00			`add_header Alt-Svc 'h3=":443"; ma=7776000; persist=1, h2=":443"; ma=7776000; persist=1';`
i think the web thingy is kinda done 2024-01-11 12:43:58 +01:00			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`
moved things around mainly nginx 2024-01-10 13:32:18 +01:00			`'';`
librespeed,graphical: minor fixes 2024-09-27 00:06:27 +02:00			`eventsConfig = ''`
			`multi_accept on;`
			`'';`
			`appendConfig = ''`
			`worker_processes auto;`
			`'';`
moved things around mainly nginx 2024-01-10 13:32:18 +01:00			`};`
			`}`